Backed by many of the world's largest companies for more than a decade, SPDX formally becomes an internationally recognized ISO/IEC JTC 1 standard at a transformational time for software and supply chain security.
SAN FRANCISCO, September 9, 2021. The Linux Foundation, the Joint Development Foundation, and the SPDX community today announced that the Software Package Data Exchange (SPDX) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body.
Intel, Microsoft, Siemens, Sony, Synopsys, VMware, and Wind River are just a small sample of the companies already using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.
"SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena," said Jim Zemlin, executive director of the Linux Foundation. "SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain."